<?PHP

$THISFILE  = 'iwachat.html';  // The name of this file
$COPYRIGHT = '/' . '*' . "
 *
 * $THISFILE - InfoWest Ajax Chat
 *
 * Version 0.2.1
 *
 * Written by Aaron D. Gifford - http://www.adg.us/
 * Copyright (c) 2005 by InfoWest, Inc. - All Rights Reserved
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, the above list of authors and contributors, this list of
 *    conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the author(s) or copyright holder(s) nor the
 *    names of any contributors may be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER(S), AUTHOR(S) AND
 * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
 * IN NO EVENT SHALL THE COPYRIGHT HOLDER(S), AUTHOR(S), OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * DCONSEQUENTIAL AMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGE.
 *
" . ' *' . '/';

// ====================
// BEGIN CONFIGURATION:
// ====================

// Database connection information:
$DBNAME = 'dbname';
$DBHOST = 'IP.OF.HO.ST';
$DBUSER = 'dbuser';
$DBPASS = 'dbpassword';

// Limits on message size:
$MAXMSGSIZE  = 1024;
$MAXMSGLINES = 8;

// Maximum umber of messages in message history to display when a user enters
// the chat room:
$MESSAGEHISTORY = 50;
// Maximum age of message history (in seconds - 86400 is 24 hours):
$HISTORYAGE = 86400 * 7;

// Chat server secret (do not reveal):
$CHATSECRET = "SERVER CHAT SECRET HERE";

// Name of this server (used to send server messages):
// (No double-quotes allowed!)
$SERVERNAME = "Chat Server";

// If the web server this script runs on operates behind one or more known
// reverse proxies, list the IPs in the array below:
$KNOWN_REVERSEPROXIES = array("IP.OF.PRO.XY");

// How long a user can go without an Ajax polling connection before
// they're considered "Offline" (in seconds).  Don't set it too short,
// or clients will "bounce" offline then back online.
$IDLETIMEOUT = 30;

// How often should the client poll the server for updates (in seconds)?
// (Too short, and things could get weird, too long and new messages will
// take too long to appear)
$POLLTIME = 2.5;

// ====================
// END OF CONFIGURATION
// ====================

/* CHAT DATABASE STRUCTURE:

  CREATE TABLE `chatsessions` (
   `id` int(10) unsigned NOT NULL auto_increment,
   `ip` varchar(15) NOT NULL default '',
   `starttime` int(10) unsigned NOT NULL default '0',
   `updatetime` int(10) unsigned NOT NULL default '0',
   `chatid` varchar(32) NOT NULL default '',
   `nickname` varchar(16) NOT NULL default '',
   `lastpoll` int(10) unsigned NOT NULL default '0',
   `status` tinyint(3) unsigned NOT NULL default '0',
   PRIMARY KEY  (`id`),
   KEY `chatid` (`chatid`),
   KEY `status` (`status`),
   KEY `updatetime` (`updatetime`)
 );

 CREATE TABLE `msgstore` (
   `id` int(10) unsigned NOT NULL auto_increment,
   `csid` int(10) unsigned NOT NULL default '0',
   `nickname` varchar(16) NOT NULL default '',
   `timestamp` int(10) unsigned NOT NULL default '0',
   `body` mediumtext NOT NULL,
   PRIMARY KEY  (`id`),
   KEY `nickname` (`nickname`),
   KEY `timestamp` (`timestamp`)
 );

*/ 

// Table `msgstore`:
//     id        - Message id
//     csid      - Chat session id (see below table)
//     nickname  - Nickname of user
//     timestamp - Time message was sent
//     body      - Actual message
// Table `chatsessions`:
//    id         - Database id
//    ip         - Client IP address
//    starttime  - Time client began session
//    updatetime - Time client session last changed status
//    chatid     - MD5(server secret + database id + and client IP + starttime)
//    nickname   - Nickname of user
//    lastpoll  - Time of last client activity
//    status     - Status of client (0 = offline, 1 = online)

function display_main($chatid, $nickname) {
  global $COPYRIGHT;
  global $THISFILE;
  global $POLLTIME;
  global $SERVERNAME;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
  <head>
    <title>IWA Chat Room</title>
    <script type="text/javascript">
      <!--

<?PHP print $COPYRIGHT; ?>

// Globals:
var qa = Array();     // Array of asynch. XML document request objects
var msgs = Array();   // Message IDs seen (to avoid duplicates)
var newsince = 0;     // Timestamp of most recently received message
var chatid = "<?PHP print $chatid; ?>";
var mynickname = "<?PHP print $nickname; ?>";
var servername = "<?PHP print $SERVERNAME; ?>";
var timeoutid = 0;

function reqDoc(addr, postdata) {
  var q = null;

  // Does the browser have native support for XMLHttpRequest?
  if (window.XMLHttpRequest) {
    // Yes, so use it!
    q = new XMLHttpRequest();
  // Otherwise, try for MSIE ActiveX:
  }  else if (window.ActiveXObject) {
    q = new ActiveXObject("Microsoft.XMLHTTP");
  }
  // Hopefully this worked and we have a request object...
  if (q) {
    q.onreadystatechange = gotDoc;
    if (postdata) {
      q.open('POST', addr, true);
      q.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
      q.send(postdata);
    } else {
      q.open('GET', addr, true);
      q.send(null);
    }
    qa.push(q);
  }
}

function poll() {
  reqDoc("<?PHP print $THISFILE; ?>", "chatid=" + chatid + "&timestamp=" + newsince);
  timeoutid = 0;
}

function gotDoc() {
  var na = Array();

  // Scan all outstanding queries to see if any are complete:
  for (var i = 0; i < qa.length; i++) {
    var q = qa[i];

    // Wait for "complete" state (4):
    if (q.readyState == 4) {
      if (q.status == 200) {
        // Success!
        handleDoc(q.responseText);

        // Set timer to poll for new content regularly:
        if (!timeoutid) {
          timeoutid = window.setTimeout(poll, <?PHP print $POLLTIME; ?> * 1000)
        }
      }
    } else {
      na.push(q);
    }
  }
  // Update the list of outstanding queries:
  qa = na;
}
      
function handleDoc(txt) {
  var lines;

  // Quick sanity check:
  if (txt == null || txt.length == 0) {
    throw "handleDoc(): Illegal/invalid response from chat server: null or empty response.";
  }

  // Reload document on error:
  if (txt == "ERROR") {
    document.location.reload();
    return;
  }

  lines = txt.split("\n");

  // Trim off trailing empty line:
  if (lines[lines.length-1] == '') {
    lines.pop();
  }

  while (lines.length >= 2) {
    var cmd;
    var arglen;
    var arglines;

    cmd = lines.shift();
    arglen = lines.shift();

    // Quick sanity check:
    if (arglen < 0 || arglen > lines.length) {
      throw "handleDoc(): Illegal/invalid response from chat server: line length "+ arglen + " is either negative or greater than " + lines.length + " lines.";
    }

    arglines = lines.splice(0, arglen);
  
    // Three kinds of results: "MESSAGE", "ROSTER", and "NOOP"
    if (cmd == "MESSAGE") {
      // For "MESSAGE" responses:
      //   The first line contains the nickname of the author of
      //   the message, the second line has the message ID, and
      //   the third contains the message timestamp.  The fourth
      //   line is an integer number of subsequent lines that form
      //   the message body/contents.
      while (arglines.length > 4) {
        var user;
        var id;
        var ts;
        var msgbody;
        var msglen;

        user    = arglines.shift();
        id      = arglines.shift();
        ts      = arglines.shift();
        msglen  = arglines.shift();

        // A little sanity check on the server-supplied data:
        if (msglen < 0 || msglen > arglines.length) {
          throw "handleDoc(): Illegal/invalid response from chat server: line length "+ msglen + " is either negative or greater than " + arglines.length + " lines.";
        }

        msgbody = arglines.splice(0, msglen);
        appendMessage(user, id, ts, msgbody.join("\n"));
      }
    } else if (cmd == "ROSTER") {
      // For "ROSTER" responses:
      //   The response is in groups of three lines and will always
      //   contain at least one group of three lines.  The first line
      //   of a group contains a nickname, the second line contains
      //   the timestamp of the most recent status update, and the
      //   third line contains the user's status.  Valid/known
      //   status values are:  "Online", "Away", and "Offline".
      //   It is recommended that the application NOT display users
      //   that are "Offline" since this isn't an IM system and a
      //   user may not ever return to the chat board.  In fact,
      //   the server will ONLY send an "Offline" roster update for
      //   a user once, when that user departs the channel.
      while (arglines.length >= 3) {
        var user;
        var ts;
        var status;

        user   = arglines.shift();
        ts     = arglines.shift();
        status = arglines.shift();
        updateRoster(user, ts, status);
      }
    } else if (cmd == "NOOP") {
      // The "NOOP" response is a response to a request that doesn't
      // require any informative response.  Do nothing.
    }
  }
  if (lines.length > 0) {
    throw "handleDoc(): Illegal/invalid response from chat server: "+ lines.length + " extra/spurious response lines received.";
  }
}

function appendMessage(user, id, ts, msg) {
  var div;
  var span;
  var text;
  var date;
  var list;
  var item;
  var box;
  var lines;
  var color;
  var line;

  if (newsince < ts) {
    newsince = ts;
  }

  if (msgs[id]) {
    // We've already handled this message before.
    return;
  }
  msgs[id] = 1;

  // Color messages by who sent them (not accurate on join):
  if (user == mynickname) {
    color = "#ff8899";
  } else if (user == servername) {
    color = "#9988ff";
  } else {
    color = "#dfeaff";
  }

  date = new Date();
  date.setTime(ts * 1000);
  date = date.toLocaleTimeString();

  div = document.createElement("div");
  div.id = "messageid_" + id;
  div.className = "msgitem";

  span = document.createElement("span");
  span.className = "msgfrom";
  text = document.createTextNode(user);
  span.appendChild(text);
  span.style.color = color;
  div.appendChild(span);

  span = document.createElement("span");
  span.className = "msgtime";
  text = document.createTextNode(date);
  span.appendChild(text);
  span.style.color = color;
  div.appendChild(span);

  list = document.createElement("div");
  list.className = "msgbody";
  lines = msg.split("\n");
  if (lines[lines.length-1] == '') {
    lines.pop();
  }
  while (lines.length) {
    line = lines.shift();
    if (line.length > 100 && line.indexOf(' ') > 100) {
      var tmp = line.substring(100, line.length);
      line = line.substring(0,100);
      lines.unshift(tmp);
    }
    item = document.createElement("div");
    item.className = "msgline";
    text = document.createTextNode(line);
    item.appendChild(text);
    item.style.color = color;
    list.appendChild(item);
  }
  div.appendChild(list);

  box = document.getElementById("messagebox");
  box.appendChild(div);
  box.scrollTop = box.scrollHeight;
}

function updateRoster(user, ts, status) {
  var box;

  if (newsince < ts) {
    newsince = ts;
  }

  box = document.getElementById("rosterbox");

  if (status == "Offline") {
    var item;

    item = document.getElementById("rosteritem_" + user);
    if (item) {
      box.removeChild(item);
    }
  } else {
    var span;
    var text;

    span = document.getElementById("rosterstatus_" + user);
    if (span) {
      text = document.createTextNode(status);
      span.replaceChild(text, span.childNodes[0]);
    } else {
      var item;

      item = document.createElement("div");
      item.className = "rosteritem";
      item.id = "rosteritem_" + user;

      span = document.createElement("span");
      span.className = "rostername";
      text = document.createTextNode(user);
      span.appendChild(text);
      item.appendChild(span);

      span = document.createElement("span");
      span.className = "rosterstatus";
      span.id = "rosterstatus_" + user;
      text = document.createTextNode(status);
      span.appendChild(text);
      item.appendChild(span);

      box.appendChild(item);
    }
  }
}

//function handleEvent(e) {
//  // Multi-browser event handling:
//  e = (e) ? e : ((window.event) ? window.event : null);
//  if (e) {
//    // Multi-browser event target handling:
//    var t = (e.target) ? e.target : ((e.srcElement) ? e.srcElement : null);
//    if (t) {
//
//    }
//  }
//}

function getViewWidth() {
  var width = 0;
  if (typeof(window.innerWidth) == 'number') {
    width = window.innerWidth;
  }
  if (document.body && typeof(document.body.clientWidth) == 'number' && document.body.clientWidth > width) {
    width = document.body.clientWidth;
  }
  if (document.documentElement && typeof(document.documentElement.clientWidth) == 'number' && document.documentElement.clientWidth > width) {
    width = document.documentElement.clientWidth;
  }
  return width;
}

function getViewHeight() {
  var height = 0;
  if (typeof(window.innerHeight) == 'number') {
    height = window.innerHeight;
  }
  if (document.body && typeof(document.body.clientHeight) == 'number' && document.body.clientHeight > height) {
    height = document.body.clientHeight;
  }
  if (document.documentElement && typeof(document.documentElement.clientHeight) == 'number' && document.documentElement.clientHeight > height) {
    height = document.documentElement.clientHeight;
  }
  return height;
}

function sendMessage() {
  var field;

  field = document.getElementById('textfield');
  reqDoc("<?PHP print $THISFILE; ?>",
         "chatid=" + chatid +
         "&timestamp=" + newsince +
         "&message=" + escape(field.value));
  field.value = '';
  field.focus();
  return false;
}

function handleResize() {
  var height = getViewHeight() - 60;
  var width  = getViewWidth() - 35;
  var box;

  if (height < 200 || width < 300) {
    return;
  }

  box = document.getElementById('messagebox');
  box.style.width = (width - 150) + "px";
  box.style.height = height + "px";

  box = document.getElementById('rosterbox');
  box.style.height = height + "px";

  box = document.getElementById('textfieldspan');
  box.style.width = (width - 150) + "px";

  box = document.getElementById('textfield');
  box.style.width = (width - 158) + "px";

  box = document.getElementById("messagebox");
  box.scrollTop = box.scrollHeight;

  focusForm();
}

function focusForm() {
  var field = document.getElementById('textfield');
  field.focus();
}

window.onload = function() {
  focusForm();
  reqDoc("<?PHP print $THISFILE; ?>", "chatid=" + chatid + "&timestamp=0&getroster=1");
  handleResize();
}

window.onresize = handleResize;

-->
    </script>
    <style type="text/css">
body {
  margin:            5px;
  border:            0;
  padding:           0;
  background-color:  #114488;
  font-family:       Trebuchet MS, Trebuchet, Verdana, Geneva, Arial, sans-serif;
  font-size:         0.9em;
  text-decoration:   none;
  color:             #dfeaff;
}

#messagebox {
  display:           block;
  margin:            0;
  padding:           2px;
  border:            1px solid #deb881;
  float:             left;
  background-color:  #203040;
  height:            500px;
  width:             550px;
  overflow:          scroll;
}

#rosterbox {
  display:           block;
  margin:            0;
  padding:           2px;
  border:            1px solid #deb881;
  float:             right;
  background-color:  #4020a0;
  width:             150px;
  height:            500px;
  overflow:          scroll;
}

.rosteritem {
  display:           block;
  margin:            0;
  border:            0;
  padding:           2px;
  clear:             both;
}

.rostername {
  display:           inline;
  margin:            0;
  border:            0;
  padding:           0;
  float:             left;
  font-size:         0.8em;
  font-weight:       bold;
}

.rosterstatus {
  display:           inline;
  margin:            0;
  border:            0;
  padding:           0px 0px 0px 5px;
  float:             right;
  font-size:         0.8em;
  font-style:        italic;
}

#formbox {
  display:           block;
  margin:            10px 0px 0px 0px;
  border:            1px solid #deb881;
  padding:           3px;
  clear:             both;
  position:          fixed;
  bottom:            5px;
  left:              5px;
}

#msgform {
  display:          inline;
  margin:           0;
  border:           0;
  padding:          0;
}

#msglegend {
  display:           inline;
  margin:            0;
  border:            1px solid #114488;
  padding:           0px 4px 0px 4px;
  text-align:        center;
  font-size:         1em;
  font-weight:       bold;
  text-decoration:   none;
  height:            20px;
}

#textfield {
  margin:            0;
  border:            0;
  padding:           0;
  background-color:  #a0c0f0;
  background:        transparent;
  color:             #001144;
  width:             542px;
  height:            20px;
}
  
#textfieldspan {
  display:           inline;
  margin:            0px 0px 0px 5px;
  border:            1px solid #deb887;
  padding:           0px 4px 0px 4px;
  text-align:        center;
  background-color:  #a0c0f0;
  color:             #001144;
  width:             550px;
  height:            20px;
}

#sendbtn {
  display:           inline;
  margin:            0px 0px 0px 10px;
  border:            1px solid #deb881;
  padding:           0px 4px 0px 4px;
  background-color:  #660000;
  text-align:        center;
  color:             #deb887;
  font-size:         1em;
  font-weight:       bold;
  text-decoration:   none;
  height:            20px;
}

#sendbtn:hover {
  text-decoration:   none;
  background-color:  #330000;
  color:             #dd9900;
}

.msgitem {
  display:           block;
  clear:             both;
  margin:            0;
  border:            0;
  padding:           2px;
}

.msgfrom {
  display:           inline;
  margin:            0;
  border:            0;
  padding:           0;
  font-weight:       bold;
}

.msgtime {
  display:           inline;
  margin:            0;
  border:            0;
  padding:           0px 0px 0px 10px;
  font-weight:       normal;
  font-size:         0.9em;
}

.msgbody {
  display:           block;
  margin:            0;
  padding:           0px 5px 0px 5px;
  border:            0;
}

.msgline {
  display:           block;
  margin:            0;
  border:            0;
  padding:           0;
}

    </style>
  </head>
  <body>
    <div id="messagebox"></div>
    <div id="rosterbox"></div>
    <div id="formbox"> 
      <form action="" method="get" id="msgform" onsubmit="sendMessage(); return false">
        <span id="msglegend">Message:</span>
        <span id="textfieldspan">
          <input type="text" name="messagetext" id="textfield" value="" tabindex="1" />
        </span>
      </form>
      <a href="javascript: void(sendMessage())" id="sendbtn" tabindex="2">Send</a>
    </div>
  </body>
</html>
<?PHP
  exit();
}

function display_nickform($msg='') {
  global $THISFILE;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
  <head>
    <title>IWA Chat Room - Choose a Nickname</title>
  </head>
  <body>
    <?PHP if ($msg) { print "<b>$msg</b><br>\n"; } ?>
    <form action="<?PHP print $THISFILE; ?>" method="POST">
      <b>Nickname:</b>
      <input type="text" name="nickname" id="nickname" value="" length="16">
      <input type="submit" name="Submit" value="Submit">
    </form>
  </body>
</html>
<?PHP
  exit();
}

// PHP Globals:
// $db - mysqli database connection object
$db = NULL;
// Client IP address:
$ip = '';

function dbconnect() {
  global $db;
  global $DBHOST;
  global $DBUSER;
  global $DBPASS;
  global $DBNAME;

  if (is_null($db)) {
    $db = new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
    if (mysqli_connect_errno()) {
      throw new Exception("Unable to connect to database '$DBNAME' on host '$DBHOST' as user '$DBUSER': (" . mysqli_connect_errno() . ') ' . mysqli_connect_error());
    }
  }
}

// Houskeeping function - Clean out old expired sessions:
function update_sessions($db) {
  global $IDLETIMEOUT;
  global $DBNAME;
  global $SERVERNAME;

  // Prevent parallel updates:
  $db->query("LOCK TABLES `chatsessions` WRITE");

  $result = $db->query("SELECT `id`, `nickname`, `ip`, `lastpoll` FROM `chatsessions` WHERE `status` != '0' AND `lastpoll` + $IDLETIMEOUT < UNIX_TIMESTAMP()");
  if (!$result) {
    throw new Exception("Unable to SELECT from session table of '$DBNAME' database: (" . $db->errno . ") " . $db->error);
  }
  while (($row = $result->fetch_assoc()) != NULL) {
    // Hope these queries work, because we're ignoring errors...
    $db->query("UPDATE `chatsessions` SET `status` = '0', `updatetime` = UNIX_TIMESTAMP() WHERE `id` = '" . $row['id'] . "'");
    $db->query("INSERT INTO `msgstore` (`csid`,`nickname`, `timestamp`, `body`) VALUES (" .
                   "'" . $row['id'] . "', " .
                   "'" . $db->real_escape_string($SERVERNAME) . "', " .
                   "'" . ($row['lastpoll'] + $IDLETIMEOUT) . "', " . 
                   "'*** " . $db->real_escape_string($row['nickname']) .
                   " [" . $db->real_escape_string($row['ip']) . "] " .
                   "has departed the chat room. ***')");
  }
  $result->free();
  $db->query("UNLOCK TABLES");
}


// Get the remote client IP address:
$ip = $_SERVER['REMOTE_ADDR'];
// If this web site operates behind a known remote proxy, find the actual client IP:
for ($i = 0; $i < count($KNOWN_REVERSEPROXIES); $i++) {
  if (!strcmp($ip,$KNOWN_REVERSEPROXIES[$i]) && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    break;
  }
}

if (isset($_POST['nickname'])) {
  // Check to see if nickname is permitted and if it is unique
  $nickname = $_POST['nickname'];
  // Sanity check nickname - Limit the character set greatly
  // No double-quotes allowed!
  if (!preg_match('/^[a-zA-Z0-9._ -]{1,20}$/', $nickname) || !strcmp($SERVERNAME, $nickname)) {
    display_nickform("Invalid nickname.  Please choose another.");
  }

  // Connect to the database:
  dbconnect();

  // Update old sessions:
  update_sessions($db);

  // Is the nickname unique?
  $result = $db->query("SELECT `id` FROM `chatsessions` WHERE `nickname` = '" . $db->real_escape_string($nickname) . "' AND `status` != '0'");
  if (!$result) {
    throw new Exception("Unable to perform SELECT query on session table in database '$DBNAME' to check for duplicate nicknames: (" .  $db->errno . ") " . $db->error);
  }
  if ($result->num_rows != 0) {
    $db->close();
    display_nickform("The nickname <b>" . $nickname . "</b> is already in use.  Please choose another.");
  }
  $result->free();

  // Create a new session in the database:
  if ($db->query("INSERT INTO `chatsessions` (`ip`, `starttime`, `updatetime`, `nickname`, `lastpoll`, `status`) VALUES ('" . $db->real_escape_string($ip) . "', UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), '" . $db->real_escape_string($nickname) . "', UNIX_TIMESTAMP(), 1)") !== TRUE) {
    throw new Exception("Unable to perform INSERT query on '$DBNAME' database: (" . $db->errno . ") " . $db->error);
  }
  // Fetch the database session ID:
  $id = $db->insert_id;

  // Fetch the timestamp for the session start from the database:
  $result = $db->query("SELECT `starttime` FROM `chatsessions` WHERE `id` = '$id'");
  if (!$result) {
    throw new Exception("Unable to perform SELECT query on '$DBNAME' database: (" . $db->errno . ") " . $db->error);
  }
  if ($result->num_rows != 1) {
    throw new Exception("SELECT query on '$DBNAME' database did not return a single row as expected, but returned " . $result->num_rows . " rows instead.");
  }
  $row = $result->fetch_assoc();
  $ts = $row['starttime'];
  $result->free();

  // Generate a new MD5 session identifier:
  $chatid = md5($CHATSECRET . $nickname .  $id . $ip . $ts);

  // Now update the session in the database:
  if ($db->query("UPDATE `chatsessions` SET `chatid` = '$chatid' WHERE `id` = '$id'") !== TRUE) {
    throw new Exception("Unable to perform UPDATE query on '$DBNAME' database: (" . $db->errno . ") " . $db->error);
  }

  // Insert a new server message:
  if ($db->query("INSERT INTO `msgstore` (`csid`, `nickname`, `timestamp`, `body`) VALUES (" .
                 "'" . $id . "', '" .
                 $db->real_escape_string($SERVERNAME) . "', UNIX_TIMESTAMP(), '*** " .
                 $db->real_escape_string($nickname) . " [" . $db->real_escape_string($ip) .
                 "] has entered the chat room. ***')") !== TRUE) {
    throw new Exception("Unable to INSERT a new server message into the '$DBNAME' database: (" . $db->errno . ") " . $db->error);
  }

  $db->close(); 
  display_main($chatid, $nickname);
}

if (strcmp($_SERVER['REQUEST_METHOD'], "POST")) {
  // Non-posts get the nickname login form:
  display_nickform();
}
  
// If 'chatid' is set by a POST, then this is an Ajax query:
if (isset($_POST['chatid'])) {
  $error = '';
  $chatid = $_POST['chatid'];

  // VERY CAREFULLY sanity-check the timestamp.  It's used unescaped in SQL
  // queries, so it MUST BE CLEAN to avoid SQL injection bugs.
  if (!isset($_POST['timestamp']) || !preg_match('/^\d{1,20}$/', $_POST['timestamp'])) {
    $timestamp = 0;
  } else {
    $timestamp = $_POST['timestamp'];
  }

  if (isset($_POST['getroster']) && !strcmp($_POST['getroster'], "1")) {
    $getroster = TRUE;
  } else {
    $getroster = FALSE;
  }
  if (isset($_POST['message'])) {
    $message = $_POST['message'];
    $message = preg_replace('/\n+$/s', '', $message);
    $message = preg_replace('/^\n+/s', '', $message);
    if (strlen($message) > $MAXMSGSIZE || count(preg_split('/\n/', $message)) > $MAXMSGLINES) {
      $error = "*** Your message was refused because it was too long or contained too many lines. ***";
      $message = FALSE;
    }
  } else {
    $message = FALSE;
  }

  // Connect to the database:
  dbconnect();

  // Update old sessions:
  update_sessions($db);

  // Extract the session information from the database:
  $result = $db->query("SELECT `id`, `status`, `ip`, `nickname`, UNIX_TIMESTAMP() as `timestamp` FROM `chatsessions` WHERE `chatid` = '" . $db->real_escape_string($chatid) . "'");
  if (!$result) {
    throw new Exception("Unable to perform SELECT query on '$DBNAME' database: (" . $db->errno . ") " . $db->error);
  }
  if ($result->num_rows == 0) {
    // No such session!
    $db->close();
    header("Content-type: text/plain");
    print "ERROR";
    exit();
  }
  if ($result->num_rows != 1) {
    throw new Exception("SELECT query on '$DBNAME' database did not return a single row as expected, but returned " . $result->num_rows . " rows instead.");
  }
  $row = $result->fetch_assoc();
  if (strcmp($ip, $row['ip'])) {
    // Client IP address doesn't match!  Stolen session?
    $db->close();
    header("Content-type: text/plain");
    print "ERROR";
    exit();
  }
  $id = $row['id'];
  $status = $row['status'];
  $nickname = $row['nickname'];
  $ts = $row['timestamp'];
  $result->free();

  // Valid session, so update "lastpoll" field:
  if ($db->query("UPDATE `chatsessions` SET `lastpoll` = '$ts' WHERE `id` = '$id'") !== TRUE) {
    throw new Exception("UPDATE query on '$DBNAME' failed while updating session idle timestamp: (" . $db->errno . ") " . $db->error);
  }

  // If status == 0 (it shouldn't), then update:
  if ($status == 0) {
    $status = 1;
    if ($db->query("UPDATE `chatsessions` SET `status` = '1', `updatetime` = '$ts' WHERE `id` = '$id'") !== TRUE) {
      throw new Exception("UPDATE query on '$DBNAME' failed while updating session status: (" . $db->errno . ") " . $db->error);
    }
    // Insert status change message:
    if ($db->query("INSERT INTO `msgstore` (`csid`, `nickname`, `timestamp`, `body`) VALUES (" .
                   "'" . $id . "', '" .
                   $db->real_escape_string($SERVERNAME) . "', UNIX_TIMESTAMP(), '*** " .
                   $db->real_escape_string($nickname) . " [" . $db->real_escape_string($ip) .
                   "] is now online in the chat room. ***')") !== TRUE) {
      throw new Exception("Unable to INSERT a new server message into the '$DBNAME' database: (" . $db->errno . ") " . $db->error);
    }
  }

  // If the user sent a message, insert it into the database:
  if ($message) {
    // Insert status change message:
    if ($db->query("INSERT INTO `msgstore` (`csid`, `nickname`, `timestamp`, `body`) VALUES (" .
                   "'" . $id . "', '" .
                   $db->real_escape_string($nickname) . "', UNIX_TIMESTAMP(), '" .
                   $db->real_escape_string($message) . "')") !== TRUE) {
      throw new Exception("Unable to INSERT a new user message into the '$DBNAME' database: (" . $db->errno . ") " . $db->error);
    }
  }

  // Get roster updates:
  if ($getroster) {
    $result = $db->query("SELECT `nickname`, `status`, `updatetime` FROM `chatsessions` WHERE `status` != '0'");
  } else {
    $result = $db->query("SELECT `nickname`, `status`, `updatetime` FROM `chatsessions` WHERE `updatetime` > '$timestamp'");
  }
  if (!$result) {
    throw new Exception("Unable to SELECT from session table of '$DBNAME' database: (" . $db->errno . ") " . $db->error);
  }
  $roster = '';
  while (($row = $result->fetch_assoc()) != NULL) {
    $roster .= $row['nickname'] . "\n" . $row['updatetime'] . "\n";
    if ($row['status'] == 0) {
      $roster .= "Offline\n";
    } else if ($row['status'] == 1) {
      $roster .= "Online\n";
    } else {
      $roster .= "Away\n";
    }
  }
  $result->free();
  if (strlen($roster) > 0) {
    $roster = "ROSTER\n" . (count(preg_split('/\n/', $roster)) - 1) . "\n" . $roster;
  }

  // Get a list of new messages, or the last $MESSAGEHISTORY messages if this
  // is a new session:
  if ($timestamp) {
    $result = $db->query("SELECT `nickname`, `id`, `timestamp`, `body` FROM `msgstore` WHERE `timestamp` > '$timestamp' ORDER BY `timestamp` DESC");
  } else {
    $result = $db->query("SELECT `nickname`, `id`, `timestamp`, `body` FROM `msgstore` WHERE `timestamp` + $HISTORYAGE > UNIX_TIMESTAMP() ORDER BY `timestamp` DESC LIMIT $MESSAGEHISTORY");
  }
  if (!$result) {
    throw new Exception("Unable to SELECT from message storage table of '$DBNAME' database: (" . $db->errno . ") " . $db->error);
  }
  $messages = array();
  while (($row = $result->fetch_assoc()) != NULL) {
    $body = $row['body'];
    $body = preg_replace('/^\n+/s' ,'', $body);
    $body = preg_replace('/\n+$/s' ,'', $body);
    $messages[] = $row['nickname']  . "\n" .
                  $row['id']        . "\n" .
                  $row['timestamp'] . "\n" .
                  count(preg_split('/\n/', $body)) . "\n" .
                  $body . "\n";
  }
  $result->free();
  $db->close();
  $messages = array_reverse($messages);

  if (count($messages) > 0) {
    $messages = join('', $messages);
    $messages = "MESSAGE\n" .
                (count(preg_split('/\n/', $messages)) - 1) . "\n" .
                $messages;
  } else {
    $messages = '';
  }

  $response = $roster . $messages;
  if (strlen($response) == 0) {
    $response = "NOOP\n0\n";
  }

  // Return the Ajax response:
  header("Content-type: text/plain");
  print $response;
  exit();
}

throw new Exception("ERROR: Invalid POST resulted in invalid execution path!");